HackRead
Hacker finds flaw in Gmail allowing anyone to hack any email account

November 4th, 2016, by Uzair Amir. Filed under: Security, Google News, Hacking News, Technology News
A Pakistani student and white hat hacker discovered a vulnerability in Gmail’s verification process that allowed hijacking of any email account.

It is a well-known fact that Google loves to give novice programmers, white hat hackers and security researchers an opportunity to prove their skills and capabilities by participating in Google’s Vulnerability Reward program.


Google invites researchers from all across the globe to find out flaws in its newest or existing applications, extensions, software and operating system that are available at Google Play, Chrome Web Store and/or iTunes. In return, the successful candidate is awarded prizes. The core objective of these programs is to make Google’s apps and systems more protected and secure.

However, it isn’t an easy feat to accomplish, since to qualify for Google’s VRP the bug or vulnerability must fall into one of the categories mentioned below:

* “Cross-site scripting,
* Cross-site request forgery,
* Mixed-content scripts,
* Authentication or authorization flaws,
* Server-side code execution bugs”

When the vulnerability is identified as a valid one, the hacker can expect to receive up to $20,000 from Google.

Ahmed Mehtab, a student from Pakistan and the CEO of Security Fuse, is the latest to win this prize money from Google. Mehtab discovered a flaw in Gmail’s authentication or verification methods.

If a user has more than one email address, Google lets the user link all of the addresses and also lets emails of the primary account be forwarded to secondary accounts.

Mehtab identified an inherent flaw that allowed bypassing the verification method Google uses for switching and linking email addresses, which leads to the hijacking of email IDs. He discovered that an email address became vulnerable to hijacking when one of the following conditions occurred:

* The recipient’s SMTP server is offline
* The email address has been deactivated by the recipient
* The recipient doesn’t exist or the email ID is invalid
* The recipient does exist but has blocked the sender


Mehtab’s profile on Google Vulnerability Reward Program

Here is how the hijacking can be conducted: the attacker tries to verify ownership of an email address by emailing Google. Google sends a verification email to that address. The address cannot receive the email, so Google’s mail is sent back to the actual sender, and this time it contains the verification code. The attacker then uses this verification code, and ownership of that particular address is confirmed.
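A defensive sketch of the flow described above, added here as an example (it is not Google's code or the researcher's): the ownership token is mailed only to the claimed address, bounces are routed to a system mailbox rather than to the requester, and any failed-delivery notification revokes the pending token. `PendingVerifications`, `failed_recipients` and the sample bounce are hypothetical names and constructed data.

```python
import email, hmac, secrets
from email import policy

# Constructed RFC 3464 bounce (sample data, not from the original report).
SAMPLE_DSN = (
    "From: MAILER-DAEMON@mx.example.net\nTo: bounces@verify.example.com\n"
    "Subject: Delivery Status Notification (Failure)\nMIME-Version: 1.0\n"
    'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
    "\n--b1\nContent-Type: text/plain\n\nDelivery failed permanently.\n"
    "--b1\nContent-Type: message/delivery-status\n\nReporting-MTA: dns; mx.example.net\n\n"
    "Final-Recipient: rfc822; victim@example.org\nAction: failed\nStatus: 5.1.1\n\n--b1--\n"
)

def failed_recipients(raw_dsn):
    """Return the addresses a delivery-status notification marks as failed."""
    msg = email.message_from_string(raw_dsn, policy=policy.default)
    failed = set()
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        for block in part.get_payload():  # one header block per recipient
            recipient = block.get("Final-Recipient")
            action = str(block.get("Action") or "").strip().lower()
            if recipient and action == "failed":
                failed.add(str(recipient).split(";", 1)[-1].strip().lower())
    return failed

class PendingVerifications:
    """Hypothetical store of outstanding address-ownership checks."""
    def __init__(self):
        self._pending = {}  # claimed address -> (token, requesting account)

    def issue(self, address, account):
        token = secrets.token_urlsafe(16)
        self._pending[address.lower()] = (token, account)
        return token  # mailed only to `address`; bounces go to a system mailbox

    def handle_bounce(self, raw_dsn):
        revoked = failed_recipients(raw_dsn) & self._pending.keys()
        for address in revoked:
            del self._pending[address]  # an undeliverable address is never confirmed
        return revoked

    def confirm(self, address, token, account):
        entry = self._pending.get(address.lower())
        if not entry or entry[1] != account or not hmac.compare_digest(entry[0], token):
            return False
        del self._pending[address.lower()]  # single use
        return True
```

Even if a bounce were to leak the token, the revocation in `handle_bounce` means it can no longer be redeemed for the undeliverable address.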


This is not the first time a Pakistani hacker has reported such critical security flaws. Previously, security researcher Rafay Baloch was paid $5000 as a bug bounty for reporting critical flaws in Chrome and Firefox, plus $10,000 for exposing a Code Execution / Command Execution vulnerability in PayPal that allowed hackers to execute any command on the server.

Update:

This article has been corrected with an update after being contacted by Ahmed, who stated that he had not actually received the bug bounty amount yet; however, one can expect a sum of $20,000 based on Google’s bug bounty payment program.

Source: SecurityFuse (http://blog.securityfuse.com/2016/11/gmail-account-hijacking-vulnerability.html)

HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in the United Kingdom.